Something that's known but not explicitly discussed in the v2.17.1 release notes, or tested for, is that v2.17.1 will still happily pass on evil .gitmodules objects by default to vulnerable downstream clients.

This could happen e.g. if an in-house git hosting site is mirroring a remote repository that doesn't have transfer.fsckObjects turned on. Someone can remotely push evil data to that remote hosting site knowing that it's mirrored downstream, and the in-house mirror without transfer.fsckObjects will happily pass those evil objects along, even though it's been updated to v2.17.1.

It's worth testing for this explicitly. So let's amend the tests added in 73c3f0f704 ("index-pack: check .gitmodules files with --strict", 2018-05-04) to show how this can result in a v2.17.1 client passing along the evil objects.

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx>
---
I guess this test is technically a bit redundant, but I think it's worth adding anyway since we're short in general on the subtle semantics of how *.fsckObjects acts in various situations, and so anyone reading the tests realizes that even a patched v2.17.1 can still be fooled to collude with evil in its default configuration.

 t/t7415-submodule-names.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
index a770d92a55..f35f98e956 100755
--- a/t/t7415-submodule-names.sh
+++ b/t/t7415-submodule-names.sh
@@ -93,6 +93,15 @@ test_expect_success 'transfer.fsckObjects detects evil superproject (index)' ' test_must_fail git push dst.git HEAD ' +test_expect_success 'transfer.fsckObjects needs to be on to protect downstream' ' + git init --bare intermediary.git && + git -C intermediary.git config transfer.fsckObjects false && + git -C intermediary.git fetch ../ master:master && + git init --bare downstream.git && + git -C downstream.git fetch ../intermediary.git && + test_must_fail git -C downstream.git fsck +' + # Normally our packs contain commits followed by trees followed by blobs. This # reverses the order, which requires backtracking to find the context of a # blob. We'll start with a fresh gitmodules-only tree to make it simpler. -- 2.17.0.290.gded63e768a
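Review bot: the new test in this hunk only demonstrates the negative case, that an intermediary with transfer.fsckObjects=false forwards the bad .gitmodules objects (fsck fails in downstream.git); it never shows that a downstream with transfer.fsckObjects turned on would actually refuse the fetch from that intermediary, which is the protection the commit message says people should be relying on. Consider adding the counterpart on a fresh bare repo, e.g. `git -C downstream2.git config transfer.fsckObjects true &&` followed by `test_must_fail git -C downstream2.git fetch ../intermediary.git`, so the test documents both the pass-through and the mitigation. A smaller readability point: `git -C downstream.git fetch ../intermediary.git` fetches only into FETCH_HEAD, while the intermediary step uses `master:master`; using the same refspec in both steps would make the mirror chain described in the commit message easier to follow and match the setup of the surrounding tests.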